rodney777

asked on

MS ISA vs. Esoft's Instagate EX2 or others

We have about forty users here and at the moment are only using a DSL router and NAT for protection. We have finally talked the partners into getting a decent firewall. One of our consultants says MS ISA is the way to go. Another says his company has had nothing but trouble with MS ISA and they switched to Esoft's Instagate EX2 and they love it. Easy to set up and manage.

Does anyone have an opinion on this or a suggestion on a better firewall?

We are running W2K Servers, Exchange 5.5 (soon to be Exchange 2000), DSL for internet access.

Our wants are to have the most secure firewall we can get for under $2500 - $3000. We would like to be able to block just a few specific sites.

Thanks for your advice in advance,
Rodney
ASKER CERTIFIED SOLUTION
Mishou

chris_calabrese

I'd second the Netscreens.  They're cheap, fast, easy to manage, and just plain work great.  You might also check out the new CheckPoint SofaWare boxes, or, depending on how small your network is, even something like an SMC Barricade.  All of these are in the sub $1000 range.

HOWEVER, this all depends on what kind of "extras" you want, like the ability to plug in things like anti-virus scanning, content filtering, easy creation of DMZs, and secure connectivity for remote users.

For these things, look at the slightly higher end Netscreens, the low-end Cisco PIXes, and the Intrusion Inc. CheckPoint boxes.

MS ISA server does have these things, but as Mishou pointed out, do you really want to have the only protection of your network be a Windows box?

ditto above
ISA is too primitive, not easy to understand, built too cheap, but what do you expect from a SW company?

I dunno on Esoft's Instagate EX2, but see no reason to contradict your source.

Rule of thumb is firewall s/b hardware, and Windows is vulnerable, so get that OS behind as many real protections as you can.

Linux is quite common, for going on the cheap.

ISA is not bad but SEVERELY limited in more complicated setups. Main hindrance is that they do not support full DeMilitarisedZone handling - filtering can only be put completely on one of the two NIC borders and not on the other. Most competitors, e.g. Checkpoint, CA and Cisco, handle this a lot better - so I suppose ESoft would do as well.

Hope this helps,

<Erik> - The Netherlands

agreed, better to do better
While you await, train staff to quit running EM/'net worms like Klez. Firewalls do not stop the humans.
ref: http://www.computerworld.com/storyba/0,4125,NAV47_STO70290,00.html
"New variant of Klez worm detected By JAIKUMAR VIJAYAN (April 18, 2002)
A new variant of a worm that takes advantage of vulnerabilities in unpatched Internet Explorer and Outlook Express software from Microsoft Corp. is spreading in the wild, antivirus vendors warned. "
rodney777

ASKER

Thanks for the info everyone.
We were looking at Watchguard's boxes last year and decided on that but now there seem to be more options and we are just trying to make sure we don't miss something.
I'm looking into Checkpoint and Netscreen to see how they compare to Esoft's Instagate EX2.

Another vote for Netscreen here.  My organization runs over 200 appliance firewalls, a combination of Checkpoint, PIX, and Netscreen.  The Netscreens are by far the nicest of the bunch.

If you're getting by with a DSL router right now, then I would say a Netscreen 10 would do just fine (would actually be a much higher performance firewall). You can pick one up for around $1300.
The--Captain

I vote for Astaro (www.astaro.com) - someone mentioned this was Linux - true enough, but you'd never know it looking at the interface.  It seems to have all the functionality of every appliance I've seen, and is infinitely extensible if you know something about Linux.  I can give you the name of a company that will sell you an Astaro "appliance" as a drop-in solution, if you so desire.

While security through obscurity may not be a great idea, security through diversity is not such a bad thing (although it is arguably a subset of security through obscurity).  For that reason alone, stay away from MS products when choosing your firewall.

-Jon

My vote is for the Watchguard Fireboxes.  They're easy/intuitive to use, fast, reliable, powerful and they have a lot of good features, such as VPN support built (l2tp from firebox, pptp from a standard Windows machine and upgradeable to l2tp from a client if you use their VPN client which isn't expensive).

They also feature NT authentication, which although not perfect is better than a lot of other products.  The HTTP Proxy (inc. Web Blocker), FTP Proxy and SMTP Proxy are handy too.

Another vote on ISA.
A company called Microsoft tried it, and chose an alternative vendor instead.

Case closed. Between the two, one of them is an obvious loser.

Hey people,

No comment has been added in roughly 1 year, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question
be PAQ'd and pts be awarded to Mishou.
Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Zenlion420
EE Page Editor